Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
06-06-2023 01:12
Static task
static1
Behavioral task
behavioral1
Sample
2f5e7c5c9f1f697bfeb2341ce42743172950f1edacf9ca503328364354bca3b3.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
2f5e7c5c9f1f697bfeb2341ce42743172950f1edacf9ca503328364354bca3b3.exe
Resource
win10v2004-20230221-en
General
-
Target
2f5e7c5c9f1f697bfeb2341ce42743172950f1edacf9ca503328364354bca3b3.exe
-
Size
863KB
-
MD5
426937c153dd506951c7f40a94094c48
-
SHA1
fb1e60c760f716e3058e3187d701899ba136d6a2
-
SHA256
2f5e7c5c9f1f697bfeb2341ce42743172950f1edacf9ca503328364354bca3b3
-
SHA512
4404e37eced0a0bfa8255e6549d0b9212cd7fd3be87b012879bbf9898b7ffa36d28c27525f4d2b9edc64100ab29e302afe4bbd2594f3810ad4e1701b13405103
-
SSDEEP
24576:Zjy6Akw+amJpYfdwzcfeJs9ReYWCW8kCt9g7:w6Akwhm0fdXO/D8j
Malware Config
Signatures
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Executes dropped EXE 3 IoCs
Processes:
Set-UP.exeWindowsDefenderUpdates.exeWindowsDefenderUpdates.exepid process 1804 Set-UP.exe 1772 WindowsDefenderUpdates.exe 1708 WindowsDefenderUpdates.exe -
Loads dropped DLL 1 IoCs
Processes:
WindowsDefenderUpdates.exepid process 1772 WindowsDefenderUpdates.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
Set-UP.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Set-UP.exe Key opened \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Set-UP.exe Key opened \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Set-UP.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
WindowsDefenderUpdates.exe2f5e7c5c9f1f697bfeb2341ce42743172950f1edacf9ca503328364354bca3b3.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\15b122136b434dc511739d7a4ab3aeae = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsDefenderUpdates.exe\" .." WindowsDefenderUpdates.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\15b122136b434dc511739d7a4ab3aeae = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsDefenderUpdates.exe\" .." WindowsDefenderUpdates.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce 2f5e7c5c9f1f697bfeb2341ce42743172950f1edacf9ca503328364354bca3b3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 2f5e7c5c9f1f697bfeb2341ce42743172950f1edacf9ca503328364354bca3b3.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 2 IoCs
Processes:
Set-UP.exedescription ioc process File created C:\Users\Admin\AppData\Local\MLXLFKOI\FileGrabber\Desktop\desktop.ini Set-UP.exe File created C:\Users\Admin\AppData\Local\MLXLFKOI\FileGrabber\Documents\desktop.ini Set-UP.exe -
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 3 freegeoip.app 7 freegeoip.app 17 api.ipify.org 18 api.ipify.org 19 ip-api.com 21 api.ipify.org 22 api.ipify.org -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Set-UP.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 Set-UP.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Set-UP.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
Set-UP.exepid process 1804 Set-UP.exe 1804 Set-UP.exe 1804 Set-UP.exe 1804 Set-UP.exe -
Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes:
Set-UP.exeWindowsDefenderUpdates.exedescription pid process Token: SeDebugPrivilege 1804 Set-UP.exe Token: SeDebugPrivilege 1708 WindowsDefenderUpdates.exe Token: 33 1708 WindowsDefenderUpdates.exe Token: SeIncBasePriorityPrivilege 1708 WindowsDefenderUpdates.exe Token: 33 1708 WindowsDefenderUpdates.exe Token: SeIncBasePriorityPrivilege 1708 WindowsDefenderUpdates.exe Token: 33 1708 WindowsDefenderUpdates.exe Token: SeIncBasePriorityPrivilege 1708 WindowsDefenderUpdates.exe Token: 33 1708 WindowsDefenderUpdates.exe Token: SeIncBasePriorityPrivilege 1708 WindowsDefenderUpdates.exe Token: 33 1708 WindowsDefenderUpdates.exe Token: SeIncBasePriorityPrivilege 1708 WindowsDefenderUpdates.exe Token: 33 1708 WindowsDefenderUpdates.exe Token: SeIncBasePriorityPrivilege 1708 WindowsDefenderUpdates.exe Token: 33 1708 WindowsDefenderUpdates.exe Token: SeIncBasePriorityPrivilege 1708 WindowsDefenderUpdates.exe -
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
2f5e7c5c9f1f697bfeb2341ce42743172950f1edacf9ca503328364354bca3b3.exeWindowsDefenderUpdates.exeWindowsDefenderUpdates.exedescription pid process target process PID 836 wrote to memory of 1804 836 2f5e7c5c9f1f697bfeb2341ce42743172950f1edacf9ca503328364354bca3b3.exe Set-UP.exe PID 836 wrote to memory of 1804 836 2f5e7c5c9f1f697bfeb2341ce42743172950f1edacf9ca503328364354bca3b3.exe Set-UP.exe PID 836 wrote to memory of 1804 836 2f5e7c5c9f1f697bfeb2341ce42743172950f1edacf9ca503328364354bca3b3.exe Set-UP.exe PID 836 wrote to memory of 1804 836 2f5e7c5c9f1f697bfeb2341ce42743172950f1edacf9ca503328364354bca3b3.exe Set-UP.exe PID 836 wrote to memory of 1772 836 2f5e7c5c9f1f697bfeb2341ce42743172950f1edacf9ca503328364354bca3b3.exe WindowsDefenderUpdates.exe PID 836 wrote to memory of 1772 836 2f5e7c5c9f1f697bfeb2341ce42743172950f1edacf9ca503328364354bca3b3.exe WindowsDefenderUpdates.exe PID 836 wrote to memory of 1772 836 2f5e7c5c9f1f697bfeb2341ce42743172950f1edacf9ca503328364354bca3b3.exe WindowsDefenderUpdates.exe PID 836 wrote to memory of 1772 836 2f5e7c5c9f1f697bfeb2341ce42743172950f1edacf9ca503328364354bca3b3.exe WindowsDefenderUpdates.exe PID 836 wrote to memory of 1772 836 2f5e7c5c9f1f697bfeb2341ce42743172950f1edacf9ca503328364354bca3b3.exe WindowsDefenderUpdates.exe PID 836 wrote to memory of 1772 836 2f5e7c5c9f1f697bfeb2341ce42743172950f1edacf9ca503328364354bca3b3.exe WindowsDefenderUpdates.exe PID 836 wrote to memory of 1772 836 2f5e7c5c9f1f697bfeb2341ce42743172950f1edacf9ca503328364354bca3b3.exe WindowsDefenderUpdates.exe PID 1772 wrote to memory of 1708 1772 WindowsDefenderUpdates.exe WindowsDefenderUpdates.exe PID 1772 wrote to memory of 1708 1772 WindowsDefenderUpdates.exe WindowsDefenderUpdates.exe PID 1772 wrote to memory of 1708 1772 WindowsDefenderUpdates.exe WindowsDefenderUpdates.exe PID 1772 wrote to memory of 1708 1772 WindowsDefenderUpdates.exe WindowsDefenderUpdates.exe PID 1772 wrote to memory of 1708 1772 WindowsDefenderUpdates.exe WindowsDefenderUpdates.exe PID 1772 wrote to memory of 1708 1772 WindowsDefenderUpdates.exe WindowsDefenderUpdates.exe PID 1772 wrote to memory of 1708 1772 WindowsDefenderUpdates.exe WindowsDefenderUpdates.exe PID 1708 wrote to memory of 1768 1708 WindowsDefenderUpdates.exe netsh.exe PID 1708 wrote to memory of 1768 1708 WindowsDefenderUpdates.exe netsh.exe PID 1708 wrote to memory of 1768 1708 WindowsDefenderUpdates.exe netsh.exe PID 1708 wrote to memory of 1768 1708 WindowsDefenderUpdates.exe netsh.exe -
outlook_office_path 1 IoCs
Processes:
Set-UP.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Set-UP.exe -
outlook_win_path 1 IoCs
Processes:
Set-UP.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Set-UP.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2f5e7c5c9f1f697bfeb2341ce42743172950f1edacf9ca503328364354bca3b3.exe"C:\Users\Admin\AppData\Local\Temp\2f5e7c5c9f1f697bfeb2341ce42743172950f1edacf9ca503328364354bca3b3.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Set-UP.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Set-UP.exe2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WindowsDefenderUpdates.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WindowsDefenderUpdates.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\WindowsDefenderUpdates.exe"C:\Users\Admin\AppData\Roaming\WindowsDefenderUpdates.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\WindowsDefenderUpdates.exe" "WindowsDefenderUpdates.exe" ENABLE4⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\MLXLFKOI\Browsers\Firefox\Bookmarks.txtFilesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
C:\Users\Admin\AppData\Local\MLXLFKOI\FileGrabber\Desktop\CheckpointAssert.bmpFilesize
624KB
MD5654ee8662e437d6441e98b4b8d4ece5e
SHA113bac5c778c0fc4fce440e9c02809672e0bdd8dd
SHA25670a9de4dd3d371e37c358fe7417c6787c3a3c4c952c188f2a95e9a9898b1484f
SHA512f802b0d7de87c90b1c05995c017933b93572fd651c8194fe9e41ad306efd2a50ff3877ba55c3d8a61c0a5827474016c5320ab10809c8f1ab309bae351010ca7b
-
C:\Users\Admin\AppData\Local\MLXLFKOI\FileGrabber\Desktop\RegisterUnlock.rtfFilesize
577KB
MD5c014ac4f356aecfee9e4934fe1f5ca37
SHA10c054234b3f6f74e0e11e89f7241f8e2852c0580
SHA256c95513215980fdafe8c58f95fabbe2ad96a9451f97b2ad27624ae178aaac913d
SHA5126c99a5dedf2812e1e2f10f1f81218a46c19aea999b5472604e09b931bfe0c8a8928e3ed71d51d455387702c6776237b804af15717b5bc8000f560c5441344888
-
C:\Users\Admin\AppData\Local\MLXLFKOI\FileGrabber\Desktop\RequestEnter.iniFilesize
531KB
MD50527ac8d2a3f47e1a4f8ae688ba38ef6
SHA1eb9349c62dbd0ed0609801bd7d7930e1edcad6fe
SHA256877fb7431ccbf50633733a689efbf857bd2c89ff020a34f0dcd9943159171eea
SHA5129a12302e6df5151eb1cbd1d1ad442856390a99b16db527403286fcf56b73ba509bd27cec996c0e9bfbe531ef504b446fae22d665134ccbc28b64d769719238ed
-
C:\Users\Admin\AppData\Local\MLXLFKOI\FileGrabber\Documents\ApproveSplit.docxFilesize
736KB
MD5b3fe89ba8b7e70f965765d3fa6d3cd5d
SHA1de2707e349e3cb86b0397ae82c05dd95dd05218f
SHA256dc6642b3adbf117e344071964373f94351d9a3ff1ab8fecb5ef03cbae3150065
SHA512f301782be37ec0c8adf3c0118144912bc3c1d90760b8e34dec2e2a7d0409429e41de01de08357a67b4e4285fd7b0686402baae7712e00a6f3be817395363a0b3
-
C:\Users\Admin\AppData\Local\MLXLFKOI\FileGrabber\Documents\MergeProtect.rtfFilesize
1.7MB
MD58c701ecf2c8ef5a1e7aff4f26ba436b4
SHA1c065c4a6a43dad45095cbe13bb5657fa0b5849fc
SHA256d309459f7e1c201d34f6cd90a5d916bf2656bc3215abd379a0d49fbd2c160181
SHA512a317847a1d7daa0838687425c8a8321f7f116f06f43b0a0501922044e3fb63b29b384c3ec68b1310a6f394cbfcf53f5df806c0d127a5bec71d0dcac5bb8f5dba
-
C:\Users\Admin\AppData\Local\MLXLFKOI\FileGrabber\Downloads\BackupReset.jsFilesize
792KB
MD57b4987fbddc0a65f1d7d38e39e8fb2f0
SHA1e5ec0219cb6c16653f5384decbc4cb9c96ca5677
SHA2567f008d0247e585dff383faabbd45fd1cb4c05d4623a38cddca06816014f4559b
SHA5128565f8086bd8bd47475e8b6c97cc2d36666f80dbe41acd49526150a425818a5def761d8eeecac263df13a47ea47f0965b795ad23175689d75cf6ecaec471078e
-
C:\Users\Admin\AppData\Local\MLXLFKOI\FileGrabber\Downloads\ClearWait.cssFilesize
755KB
MD51deaf47cd559e66afac726a879201b8f
SHA12385140d02f7ea9ada26bd0300c0e2875f324f81
SHA2562f78e807407308fd5039a3e34eececd5d83a78e9b03bba04c973a5100b9542c3
SHA51235dd3e17f87d01be6f64f8668c64d4f4b3245e7aa9115f49a319eee3684bd89c87946aff9fc3148e7de4fc661885629823f2b6029a4ba3edacd73eb376e6125b
-
C:\Users\Admin\AppData\Local\MLXLFKOI\FileGrabber\Pictures\ApproveNew.pngFilesize
1011KB
MD59a42b8338f0bbf461165e90607e435e7
SHA14eb361b8ff9ca6638184a2e5ce467cd95ce1f89a
SHA2562d1b1e981d3a0028d9c5efd813d31ac4f19263a4850e6884e2ffbccb988b977a
SHA5121207180893a4cfb8ffca77c361123a8615e88dc2e4f27b0ce46e6259d97ec90d33c3a4c5e42922c9c1fc74d860a96e48496c6e98a8cf3b643bb22e2f8e2008e9
-
C:\Users\Admin\AppData\Local\MLXLFKOI\FileGrabber\Pictures\BlockStep.jpgFilesize
1.1MB
MD5117a3d8acc0228eff619cdaa791cf8dc
SHA135c08b6c8a116dcbd3b3144b3eb93c363c2f9ef0
SHA25699342de9339a03a1c1096645b25f3d6eddbf162df8b5e22ea5fdc128482c22e3
SHA5123ade93cfdc657dc27ceca582504038e1d80c3593fa6cfa8517ccc99a61df4a5bc0c40096511f9e6e922bf5835128e6c7ff0747869e616df0f4bd1c07dab4ce74
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Set-UP.exeFilesize
1.0MB
MD53398c825546a8f031901e1e31b6304e7
SHA1ca8e0b923acf197f7cfe12c7e1b8a81087c10b40
SHA2561a59d39530e38660cc483a1b5a090036206db446ac8573f1a2ec76ba4d3e2858
SHA512ca404a7e26a586597242b51bb145b38157ab3414627e2d7168f3124b3caf9785d58e1628832a8a15bef7192a88e4fb5404b65684efc6d7d2e43c7f5d54dc270e
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Set-UP.exeFilesize
1.0MB
MD53398c825546a8f031901e1e31b6304e7
SHA1ca8e0b923acf197f7cfe12c7e1b8a81087c10b40
SHA2561a59d39530e38660cc483a1b5a090036206db446ac8573f1a2ec76ba4d3e2858
SHA512ca404a7e26a586597242b51bb145b38157ab3414627e2d7168f3124b3caf9785d58e1628832a8a15bef7192a88e4fb5404b65684efc6d7d2e43c7f5d54dc270e
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WindowsDefenderUpdates.exeFilesize
160KB
MD58d990a112e2f4ce70e630dda9a1060b4
SHA16ea9f72e30dc042eda02424a7151ed1cbcf5a35f
SHA2563fdf1066e3b5085246f0d060dbb64c46019244b20d8da8b4d12a941e4dcc95af
SHA51235fef6f967aa2da0ce3ef4813ae2960ba0243a56e5431737d3eb95f6c0a83c91da88c24cf311c3a076899eab9923dee92bf4806a99a08472c07e74030c5c9054
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WindowsDefenderUpdates.exeFilesize
160KB
MD58d990a112e2f4ce70e630dda9a1060b4
SHA16ea9f72e30dc042eda02424a7151ed1cbcf5a35f
SHA2563fdf1066e3b5085246f0d060dbb64c46019244b20d8da8b4d12a941e4dcc95af
SHA51235fef6f967aa2da0ce3ef4813ae2960ba0243a56e5431737d3eb95f6c0a83c91da88c24cf311c3a076899eab9923dee92bf4806a99a08472c07e74030c5c9054
-
C:\Users\Admin\AppData\Roaming\WindowsDefenderUpdates.exeFilesize
160KB
MD58d990a112e2f4ce70e630dda9a1060b4
SHA16ea9f72e30dc042eda02424a7151ed1cbcf5a35f
SHA2563fdf1066e3b5085246f0d060dbb64c46019244b20d8da8b4d12a941e4dcc95af
SHA51235fef6f967aa2da0ce3ef4813ae2960ba0243a56e5431737d3eb95f6c0a83c91da88c24cf311c3a076899eab9923dee92bf4806a99a08472c07e74030c5c9054
-
C:\Users\Admin\AppData\Roaming\WindowsDefenderUpdates.exeFilesize
160KB
MD58d990a112e2f4ce70e630dda9a1060b4
SHA16ea9f72e30dc042eda02424a7151ed1cbcf5a35f
SHA2563fdf1066e3b5085246f0d060dbb64c46019244b20d8da8b4d12a941e4dcc95af
SHA51235fef6f967aa2da0ce3ef4813ae2960ba0243a56e5431737d3eb95f6c0a83c91da88c24cf311c3a076899eab9923dee92bf4806a99a08472c07e74030c5c9054
-
C:\Users\Admin\AppData\Roaming\WindowsDefenderUpdates.exeFilesize
160KB
MD58d990a112e2f4ce70e630dda9a1060b4
SHA16ea9f72e30dc042eda02424a7151ed1cbcf5a35f
SHA2563fdf1066e3b5085246f0d060dbb64c46019244b20d8da8b4d12a941e4dcc95af
SHA51235fef6f967aa2da0ce3ef4813ae2960ba0243a56e5431737d3eb95f6c0a83c91da88c24cf311c3a076899eab9923dee92bf4806a99a08472c07e74030c5c9054
-
\Users\Admin\AppData\Roaming\WindowsDefenderUpdates.exeFilesize
160KB
MD58d990a112e2f4ce70e630dda9a1060b4
SHA16ea9f72e30dc042eda02424a7151ed1cbcf5a35f
SHA2563fdf1066e3b5085246f0d060dbb64c46019244b20d8da8b4d12a941e4dcc95af
SHA51235fef6f967aa2da0ce3ef4813ae2960ba0243a56e5431737d3eb95f6c0a83c91da88c24cf311c3a076899eab9923dee92bf4806a99a08472c07e74030c5c9054
-
memory/1708-240-0x0000000000AC0000-0x0000000000B00000-memory.dmpFilesize
256KB
-
memory/1772-232-0x0000000000DD0000-0x0000000000E10000-memory.dmpFilesize
256KB
-
memory/1804-138-0x0000000004A30000-0x0000000004A70000-memory.dmpFilesize
256KB
-
memory/1804-62-0x0000000000D80000-0x0000000000E8E000-memory.dmpFilesize
1.1MB
-
memory/1804-63-0x0000000000480000-0x0000000000486000-memory.dmpFilesize
24KB
-
memory/1804-64-0x0000000004A30000-0x0000000004A70000-memory.dmpFilesize
256KB